SSL Certificate Installations with Let’s Encrypt

SSL (Secure Sockets Layer) certificates are the industry-standard way to encrypt data traveling to and from a server. They allow visitors to reach a website over HTTPS, which turns on that little green padlock icon in the address bar. An SSL certificate is often required for HIPAA or PCI compliance, since it secures sensitive information. Until recently, projects like these were the only websites that bothered with SSL certificates, because they were (a) expensive and (b) kind of a hassle to install. A normal cert from a standard certificate authority could cost $100/yr, which can be a dissuading factor for smaller websites.

Let’s Encrypt, a new collaborative project from the Linux Foundation, is starting to change all of that. They’ve put together an open-source and automated authority that you can use to sign certificates on your own sites. The best part? It’s free, and they opened a public beta last month. This means that you don’t need an invitation in order to get free certificates from Let’s Encrypt.

Enough background, let’s dig into how to install a free cert from Let’s Encrypt on your own server.

That’s it! The auto-installer will walk through the few options that it needs in order to set up your SSL certificate, and you’ll be able to pull up your site with https!

The above example uses the --apache flag to install the cert on an existing virtual host domain within an Apache server. There are other options, including one for nginx (it’s still experimental, and requires installing another plugin) and one that only generates the cert, which allows you to take over the installation process yourself.

The biggest issue that I’ve found with Let’s Encrypt is that the certificates only last 90 days, while most other authorities only require renewals every 12 months. Luckily, they have a command-line-based renewal process that we can run manually every 3 months:

./letsencrypt-auto certonly --apache --renew-by-default -d domain.com

But luckily, Erika Heidi has created an update script that we can install…

# add a new cronjob with crontab
crontab -e
# append the following line
# this checks the domain to see if it needs to be renewed
# every Wednesday morning at 1:00am
0 1 * * 3 /usr/local/sbin/le-renew domain.com >> /var/log/le-renew.log
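
The decision a scheduled check like this has to make, shown as an added example (it is not Erika Heidi's le-renew script and not code from the original post): read the certificate's expiry date and run the renewal command from above only when the date falls inside a renewal window. The 30-day window, the function names, the check-cert.sh file name and the certificate path argument are assumptions; it needs GNU date and openssl.

```shell
#!/usr/bin/env bash
# Added example (not the le-renew script): renew only when expiry is near.
# Assumptions: GNU date, openssl on PATH, run from the letsencrypt directory.
RENEW_WINDOW_DAYS=30   # assumed threshold; certificates last 90 days

# Print a PEM certificate's notAfter value, e.g. "Mar 14 12:00:00 2016 GMT".
cert_not_after() {
    local out
    out=$(openssl x509 -noout -enddate -in "$1") || return 1
    echo "${out#notAfter=}"
}

# days_left "<notAfter>" [now_epoch] -> whole days until expiry (UTC).
days_left() {
    local expiry now
    [ -n "$1" ] || return 2
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (expiry - now) / 86400 ))
}

# needs_renewal "<notAfter>" [now_epoch]
# 0 = inside the renewal window, 1 = still fresh, 2 = date not parseable.
needs_renewal() {
    local left
    left=$(days_left "$1" "${2:-}") || return 2
    [ "$left" -lt "$RENEW_WINDOW_DAYS" ]
}

main() {
    local cert=$1 domain=$2 not_after rc=0
    not_after=$(cert_not_after "$cert") || { echo "cannot read $cert" >&2; return 2; }
    needs_renewal "$not_after" || rc=$?
    case $rc in
        0) echo "$domain: expires $not_after, renewing"
           # Renewal command as given on the page.
           ./letsencrypt-auto certonly --apache --renew-by-default -d "$domain" ;;
        1) echo "$domain: $(days_left "$not_after") days left, nothing to do" ;;
        *) echo "$domain: unparseable expiry '$not_after'" >&2; return 2 ;;
    esac
}

# Usage: check-cert.sh <path/to/cert.pem> <domain>
if [ "$#" -eq 2 ]; then main "$@"; fi
```

An unreadable certificate or unparseable date exits with status 2 instead of being treated as "still fresh", so a broken check shows up in the cron log rather than letting the certificate lapse quietly.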